- Add `server.config_upstream_url` default in `roles/web-app-bluesky/config/main.yml`
to define upstream for /config (defaults to https://ip.bsky.app/config).
- Introduce front-proxy injection `extra_locations.conf.j2` that:
- proxies `/config` to the upstream,
- sets SNI and correct Host header,
- normalizes CORS headers for same-origin consumption.
- Wire the proxy injection only for the Web domain in
`roles/web-app-bluesky/tasks/main.yml` via `proxy_extra_configuration`.
- Force fresh social-app checkout and patch
`src/state/geolocation.tsx` to `const BAPP_CONFIG_URL = '/config'`
in `roles/web-app-bluesky/tasks/02_social_app.yml`; notify `docker compose build` and `up`.
- Tidy and re-group PDS env in `roles/web-app-bluesky/templates/env.j2` (no functional change).
- Add vars in `roles/web-app-bluesky/vars/main.yml`:
- `BLUESKY_FRONT_PROXY_CONTENT` (renders the extra locations),
- `BLUESKY_CONFIG_UPSTREAM_URL` (reads `server.config_upstream_url`).
Security/Scope:
- Only affects the Bluesky web frontend (same-origin `/config`); PDS/API and AppView remain unchanged.
Refs:
- Conversation: https://chatgpt.com/share/68b8dd3a-2100-800f-959e-1495f6320aab
- Renamed role `srv-tls-core` → `sys-svc-certs`
- Renamed role `srv-https-stack` → `sys-stk-front-pure`
- Renamed role `sys-stk-front` → `sys-stk-front-proxy`
- Updated all includes, READMEs, meta, and dependent roles accordingly
This improves clarity and consistency of naming conventions for certificate management and proxy orchestration.
See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0
